Questions to ask your penetration testing partner

Contributor: Skip Duckwall

A penetration test doesn't stop at simply uncovering vulnerabilities: it goes the next step to actively exploit those vulnerabilities to prove (or disprove) real-world attack vectors against an organization's IT assets, data, and users. Below, we'll discuss questions to ask (and what answers to look for) when evaluating a pen testing company.

We want to underscore that conducting penetration tests is especially important if your organization:

  • Has recently made significant upgrades or other changes to its IT infrastructure or applications
  • Has recently relocated to a new office
  • Has applied security patches
  • Has modified end-user policies

If you ask the right questions and the vendor asks you the right questions, the right partner for your current needs will become apparent. So what questions do you ask? That's a good first question. 

Questions you should ask the vendor (and why)

  • What is your process for performing the pen test?

Pen testing methods and techniques differ slightly from organization to organization, but some core activities are common across all penetration tests. Therefore, the vendor should be able to provide a straightforward outline of the steps and tools involved at each step in the process.

  • How do you scope this work?

Is this a cookie-cutter approach based on the number of assets? Do you take the time to talk with stakeholders to gain a better understanding of the work that is involved? Do you want to talk to engineers to understand how things work?

Some entities operate in a more cookie-cutter, assembly-line fashion without regard to your complexity or unique needs. This could indicate that the provider cares more about quantity than quality.

  • What are the skills and experience of the team performing the test?

Are the majority of your staff considered Senior level? Junior? How much time will the Senior personnel vs. Junior personnel be working on this project directly? Some places give out lower rates because mostly junior people will do the work with minimal senior oversight. It is essential to ask about the experience levels and how much time they will be working on your project.

  • How much of the testing will use automated tools vs. manual tradecraft?

Automated testing can be good and bad. It can be an excellent way to find low-hanging fruit or something that requires more manual testing. However, some entities will use an automated tool to generate a report and mostly rebrand that as their report.

  • What can I expect as a deliverable?

Are you just going to get a report? Are you going to get a presentation? Detailed walkthroughs of critical findings? Good providers will provide more than just a report; they will give valuable collateral that can be immediately used to make your network/program/website more secure. A proper report should clearly state what applications or systems were tested and match each one to its vulnerability.

  • What should I do if I have further questions before/during/after the assessment?

Find out what the pre/during/post communication channels are like and ensure they suit your needs. For example, during the assessment, do you want status updates? How often? Do you want a technical session describing what's going on or simply a bullet-point list of highlights? What if you have questions after the report is delivered? The most important part of a successful relationship with your consultants is communication. 

Questions the vendor should ask you (and why they ask)

  • How often has this been tested in the past, and by whom?

Has this been tested before by external vendors? Did they uncover anything significant? Did they find what you expected them to find? Did you get good value from your previous vendor?

Understanding the testing history behind the project to be assessed can help the incoming vendor to understand what needs to be tested.

  • What are your most significant security concerns?

This question carries a lot of data we use to assess the client. The direct value is confirmation that the client knows what they should worry about, implying some level of overall security. The more information you provide, the better the assessment.

  • What is the most critical piece of information this system handles?

Understanding the criticality and sensitivity of the data makes for a better assessment.

  • Can we have (limited) access to the source code?

Since GRIMM engineers all have a development background, access to source code is vital to our testing. The more information you provide, the better the assessment.

  • How do they rate vulnerabilities that they find?

Understanding the methodology and reasoning behind evaluating a finding for risk allows you to ensure that the vendor aligns risk with your organizational approach. Do they use a standard scale or customize the severity based on the assessed item? For example, cookie-cutter severity ratings often mean a cookie-cutter assessment.

While hardly an exhaustive list, the considerations above should help you determine if the vendor you are speaking with has the right skills, approach, and operational perspective to provide the testing your application needs. GRIMM Cyber experts can help you create a custom penetration testing package to suit your needs. To schedule a consultation or to learn more, email: [email protected].